Most business owners who have had a site compromised assume someone targeted them specifically. A competitor, maybe, or someone with a grievance. In almost every case, that is not what happened.

Bots do not know who you are. They run automated scans across large ranges of IP addresses, probing every address they find for known vulnerabilities. Your site did not get hit because you did something to attract attention. It got hit because it is on the internet.

What an Automated Scan Looks Like

A single bot operation might probe hundreds of thousands of IP addresses per day. For each address hosting a website, it runs a standard sequence: check for known CMS signatures, probe default login paths, test for unpatched software versions, try common username and password combinations.

This takes seconds per site. It is not a person at a keyboard. It is software running on a network of compromised machines, working through a list.

The Default Path Problem

Every major CMS installs with a predictable file structure. WordPress puts its login at /wp-login.php and its admin panel at /wp-admin/. Joomla uses /administrator/. Drupal uses /user/login. OpenCart, PrestaShop, and TYPO3 all have defaults that bots check automatically.

A default install is a higher-risk install because the bot does not have to guess where to look. It already knows.

What Bots Are Actually After

Some redirect your traffic to spam or fraudulent destinations without your knowledge. Some inject ads or affiliate links to skim revenue from your visitors. Some install code that uses your server resources to attack other targets. Some are after user data, email addresses, passwords, payment information if your site handles it.

Some attacks are about establishing persistence. Getting into a site and staying there quietly until the access becomes useful.

Why Site Size Does Not Matter

A common assumption is that a small business site is too obscure to be a target. The bots do not work that way. They are not evaluating whether your site is worth their time. They are running through every address on the internet and checking what is there.

A site with ten visitors a day is just as findable as a site with ten thousand. The only thing that changes the outcome is whether the site has been hardened against the standard probe sequence.

The Inherited Site Problem

When a business brings me in to take over a site built or maintained by someone else, the first step is a security audit. There is no way to know the history without looking at it.

An outdated plugin that was never updated. A login path never changed from the default. A user account created for a contractor two years ago and never removed. These do not announce themselves. The site looks fine. The vulnerability is quiet until something finds it.

 

Need a plan? Book a one-hour strategy session and walk away with a clear direction for your website, security, or digital strategy. All sessions are recorded with full transcription. $250 — Book a Strategy Call

Want to get to know me first? Book a free 15-minute intro call. No pitch, just a conversation. Book a 15-Minute Call

 

Cybersecurity Series

  1. The Hack I Couldn’t Fix Between Matches
  2. The Same Tools Powering AI Are Being Used to Attack Your Website
  3. 7 Signs Your Website May Already Be Compromised
  4. Why Small Business Websites Get Hacked (And Why It’s Usually Not Personal)
  5. What It Actually Costs to Clean a Hacked Website
  6. How Bots Actually Find Your Website